I'm able to open a DB using custom parameters set to HMAC = SHA1, KDF = SHA1 and providing the raw key in SQL browser but when using this commands in the SQLCipher CLI I can't decrypt the database.
This is the list of commands I use :
PRAGMA key = "x'MYKEY'";
PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;
PRAGMA cipher_hmac_algorithm = HMAC_SHA1;
select count(*) from sqlite_master;
Could somebody tell me what I'm doing wrong ?
Problem was solved by compiling my own version of sqlcipher. The one provided by Ubuntu wasn't recent enough.
Related
I'm trying to upload a file to S3 and have it encrypted using the SSE-C encryption options. I can upload without the SSE-C options, but when I supply the sse_customer_key options I'm getting the following error:
ArgumentError: header x-amz-server-side-encryption-customer-key has field value "QkExM0JGRTNDMUUyRDRCQzA5NjAwNEQ2MjRBNkExMDYwQzBGQjcxODJDMjM0\nnMUE2MTNENDRCOTcxRjA2Qzk1Mg=", this cannot include CR/LF
I'm not sure if the problem is with the key I'm generating or with the encoding. I've played around with different options here, but the AWS documentation is not very clear. In the general SSE-C documentation it says you need to supply a x-amz-server-side-encryption-customer-key header, which is described as this:
Use this header to provide the 256-bit, base64-encoded encryption key
for Amazon S3 to use to encrypt or decrypt your data.
However, if I look at the Ruby SDK documentation for uploading a file the 3 options have a slightly different description
:sse_customer_algorithm (String) — Specifies the algorithm to use to when encrypting the object (e.g.,
:sse_customer_key (String) — Specifies the customer-provided encryption key for Amazon S3 to use in
:sse_customer_key_md5 (String) — Specifies the 128-bit MD5 digest of the encryption key according to RFC
(I didn't copy that wrong, the AWS documentation is literally half-written like that)
So the SDK documentation makes it seem like you supply the raw sse_customer_key and that it would base64-encode it on your behalf (which makes sense to me).
So right now I'm building the options like this:
sse_customer_algorithm: :AES256,
sse_customer_key: sse_customer_key,
sse_customer_key_md5: Digest::MD5.hexdigest(sse_customer_key)
I previously tried doing Base64.encode64(sse_customer_key) but that gave me a different error:
Aws::S3::Errors::InvalidArgument: The secret key was invalid for the
specified algorithm
I'm not sure if I'm generating the key incorrectly or if I'm supplying the key incorrectly (or if it's a different problem altogether).
This is how I'm generating the key:
require "openssl"
OpenSSL::Cipher.new("AES-256-CBC").random_key
Oh, did you notice that your key contains '\n'? That's most probably why you get the CR/LF error:
QkExM0JGRTNDMUUyRDRCQzA5NjAwNEQ2MjRBNkExMDYwQzBGQjcxODJDMjM0(\n)nMUE2MTNENDRCOTcxRjA2Qzk1Mg=
As mentioned by the colleague in the comments, strict_encode64 is an option, as it complies to RFC 2045.
By the way, I got this insight from here: https://bugs.ruby-lang.org/issues/14664
Hope it helps! :)
First of all, please make sure that you are using the latest version of the SDK (2.2.2.2) from here
So, As I understand while we generate the presigned URL, we have to specify the SSECustomerMethod and when consuming the URL, the "x-amz-server-side-encryption-customer-key" header is set with the customer key, you also need to set the "x-amz-server-side-encryption-customer-algorithm" header.
var getPresignedUrlRequest = new GetPreSignedUrlRequest
{
BucketName = bucketName,
Key = "EncryptedObject",
SSECustomerMethod= SSECustomerMethod.AES256,
Expires = DateTime.Now.AddMinutes(5)
};
var url = AWSClients.S3.GetPreSignedURL(getPresignedUrlRequest);
var webRequest = HttpWebRequest.Create(url);
webRequest.Headers.Add("x-amz-server-side-encryption-customer-algorithm", "AES256");
webRequest.Headers.Add("x-amz-server-side-encryption-customer-key", base64Key);
using (var response = webRequest.GetResponse())
using (var reader = new StreamReader(response.GetResponseStream()))
{
var contents = reader.ReadToEnd();
}
I have been able to use the Ruby code written here Data bag encryption encrypts on Chef server, but how to encrypt local copy? as a basis to encrypt my data bags without having to resort to the knife tool which is great. My problem occurs however with decrypting these encrypting databags as the code written here Data bag encryption encrypts on Chef server, but how to encrypt local copy? doesn't appear to work correctly.
I have successfully downloaded the encrypted databag as a json, converted that to a hash, loaded my symmetrical secret key (which is used for both Chef encryption and decryption) and created a databag using this:
databag_item = Chef::EncryptedDataBagItem.new raw_file_down, secret
If I was to check the class of this databag_item, Ruby tells me it is a Chef::EncryptedDataBagItem object. However when I try to write this to a file
IO.write tmp_item_file, Chef::JSONCompat.to_json_pretty( databag_item.to_hash )
i receive the following error:
Chef::EncryptedDataBagItem::DecryptionFailure: Error decrypting databag value: 'wrong final block length'.
Most likely the provided key is incorrect. When I remove the .to_hash option and do this:
IO.write tmp_item_file, Chef::JSONCompat.to_json_pretty( databag_item)
I receive 233 or a 41. None of these methods produce a decrypted data bag. Can someone please help?
BTW I'm a new user to Chef
This feels like it should be dead simple, yet I'm not having any luck.
The scenario is this: I have a public *.asc key file. I want to use this file (not my personal keyring) to encrypt data on a server, so that I can decrypt it locally with a secret key.
From the command line I can achieve this using gpg, but I'd prefer to use a Ruby library that isn't just a wrapper around the CLI (i.e., presumably one that provides bindings to the C library). I've looked at the GPGME and OpenPGP gems and haven't been able to figure out how to use them. The documentation (especially for OpenPGP) is quite sparse.
Here, for example, is something I've tried using GPGME, without any luck:
key = GPGME::Data.new(File.open(path_to_file))
data = GPGME::Data.new("I want to encrypt this string.")
# Raises GPGME::Error::InvalidValue
GPGME::Ctx.new do |ctx|
e = ctx.encrypt(key, data)
end
Has anyone been through this already? Surely this can't be that complicated?
I believe I've now got this figured out. It was actually just a few simple pieces I was missing:
Initializing the GPGME::Ctx object with a keylist_mode of GPGME::KEYLIST_MODE_EXTERN.
Importing the public key file using GPGME::Ctx#import.
Using GPGME::Crypto#encrypt to perform the encryption and specifying the correct recipient.
So my solution now looks like this:
key = GPGME::Data.new(File.open(path_to_file))
data = GPGME::Data.new("I want to encrypt this string.")
GPGME::Ctx.new(GPGME::KEYLIST_MODE_EXTERN) do |ctx|
ctx.import(key)
crypto = GPGME::Crypto.new(:armor => true, :always_trust => true)
e = crypto.encrypt(data, :recipients => "recipient#domain.com")
end
I am using Code Igniter for my current project.
As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so.
What should I go with?
Using a salt
Or should I use bcrypt
Also, if bcrypt is recommended, then how to use it with Code Igniter?
EDIT
I have put these files in application/libraries
PasswordHash.php
c/Makefile
c/crypt_private.c
In my controller, I am using this code -
$params = array(
'phpass_hash_strength' => 8,
'phpass_hash_portable' => FALSE
);
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);
I am getting these errors -
A PHP Error was encountered
Severity: Notice
Message: Uninitialized string offset: 3
Filename: libraries/PasswordHash.php
Line Number: 116
A PHP Error was encountered
Severity: Warning
Message: strpos() [function.strpos]: Empty delimiter
Filename: libraries/PasswordHash.php
Line Number: 116
Update
Removed PasswordHash.php, using SimpleLoginSecure now.
Use bcrypt. This discussion came up here in the comments to my answer. You can use a library such as phppass to really simplify the password encryption.
On the matter of salt. Use it! Otherwise somebody can simply go to this site and download the rainbow tables that will cover the large majority of passwords the average users chooses. Especially with all the security leaks in the last few months, now is not the time to be saying you won't use something as simple to implement as random salt.
UPDATE
To use PHPPass with CI, download and extract the files from the phppass website, linked above. Put the PasswordHash.php file into your CI application/libraries directory.
In your code, you then load the library via: $this->load->library('PasswordHash',array(8, FALSE));
Hashing passwords is then as simple as $this->PasswordHash->HashPassword($password);
To later check if a password is correct, it is as simple as:
$password = $_POST['password'];
$actualPassword = /*Get the hashed password from your db*/;
$check = $this->PasswordHash->CheckPassword($password, $actualPassword);
I've taken this demo from http://dev.myunv.com/articles/secure-passwords-with-phpass/ which gives you a lot more informations. I've modified that tutorial slightly to utilize CI's loader which is why you don't need the include or new statements.
why use md5() when it is just as easy to use sha1() ?
Also salting the passwords is always a good idea as it effectively removes the threat of a Rainbow Table attack
In my experience a salted SHA1 hash is pleanty secure for 99% of web application situations.
Code Igniter has changed since the time this question was asked. But for the benefit of some who may not have come across the extensive documentation of CI or haven't seen this before, CI has an encryption class which provides a two-way data encryption using the Mcrypt library of PHP.
After initializing the class using:
$this->load->library('encrypt');
You can encrypt as follows:
$msg = 'My secret message';
$encrypted_string = $this->encrypt->encode($msg);
and decrypt as follows:
$encrypted_string = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';
$plaintext_string = $this->encrypt->decode($encrypted_string);
CI also has a non-decodable 1-way hashing:
$hash = $this->encrypt->sha1('Some string');
For more information see:
http://www.codeigniter.com/user_guide/libraries/encryption.html
Disclaimer: I don't actually know anything about nether Oracle nor Java. The issue is in a project that some other developer completed at some point in time and then left the company. Now I have to setup webserver, database and get it all up and running.
the code is approx this:
OracleDataSource ods = new OracleDataSource();
ods.setURL("jdbc:oracle:thin:<user>/<password>#localhost:1521:xe");
OracleConnection ocon = (OracleConnection)ods.getConnection();
OracleStatement stmt = (OracleStatement)ocon.createStatement();
OracleResultSet rs = (OracleResultSet)stmt.executeQuery("SELECT POLLID, QUESTION, ISMULTISELECT FROM POLL WHERE POLLID = " + pollID);
if (!rs.next()) {
System.out.println("No rows found.");
return false;
}
this._PollID = rs.getInt("POLLID");
this._Question = rs.getString("QUESTION");
this._IsMultiSelect = rs.getBoolean("ISMULTISELECT");
The POLLID and ISMULTISELECT columns return correct values as expected. The QUESTION seem to always return empty string. The value in the DB is obviously not empty.
The rs.getAsciiStream("QUESTION").available() also returns zero.
Am I missing something completely obvious here?
EDIT:
sqlplus returns varchar2 value just fine
connecting via odbc (as opposed to thin) also makes things work
so no Exceptions, you are not using reserved words...maybe try to use other driver, or select into other table and experiment start with empty QUESTION column, then add some value and debug.
Thanks to everyone who replied. At this point it seems issue is between thin driver and XE version of Oracle. Unfortunately we don't have full version kickin' around (we are primarily ASP.NET/MS SQL developers), so we'll have to stick with ODBC driver for now and hope issue will magically resolve itself when we push it to live environment (hosted by third party). Very crappy assumption to make, but at this point I see no other options....
I had the same exact issue and found that the root of the problem comes from the orai18n.jar. once i removed this from my classpath, the issue went away.
I have the same problem. I do not have access to the driver that is used because the connection is taken from a Weblogic server using JNDI. I cannot remove any .jar from the server neither.
The workaround I found :
String value = new String(resultset.getBytes());
Make sure you use the right encoding if required :
String value = new String(resultset.getBytes(), [CHARSET])
I had this same issue with eclise GCJ ( Stock centos6 ) and mysql-connector with the same concatenated queries. The problem was solved with reverting back to openJDK.
I had the same issue. "getInt()" would return correct value from Oracle 9i DB, but using "getString()" would result into empty string, no matter how many times i ran, within eclipse or outside on seperate Tomcat or other servers.
After going through a lot of various threads, and quite a few trials, I came to the conclusion that the issue is with the version of ojdbc6.jar that I was using. Earlier, I was using ojdbc6.jar with Oracle version 12.1.0.1., which is not so good for connecting to OLD Oracle 9i DB. After realising, I switched on to ojdbc6.jar from Oracle 11.2.0.3 and it worked like a charm.
Hope it helps. cheers!